Essential Cyber Security Questions to Ask Your Suppliers

The security of your business depends on the security of your suppliers. If one of your suppliers experiences a cyberattack, it could have a significant impact on your operations, reputation, and even legal standing. That’s why it’s important to assess the cyber security measures your suppliers have in place.

Here’s a simple guide to help you ask the right questions and gain confidence in your suppliers' cyber security practices.

Who Handles Cyber Security?

Knowing who is responsible for cyber security at your supplier’s organisation is the first step. It’s important to confirm that they have qualified staff managing cyber risks.

Questions to Ask:

  • Who is responsible for cyber security at your company?
  • Do they have the proper skills and experience?
  • Are senior leaders aware of their cyber security responsibilities?

Are They Prepared for a Cyber Incident?

Cyberattacks and data breaches happen all the time. It’s crucial to know if your supplier is prepared to handle an incident and recover quickly.

Questions to Ask:

  • Do you have a plan to manage and recover from cyber incidents?
  • Have you experienced any major security breaches?
  • What’s your plan for keeping our services running if you suffer a cyberattack?
  • How quickly will you report an incident to us?

How Do They Protect Their Network?

Your supplier’s network security directly impacts your business. It’s important to understand how they protect their systems from threats.

Questions to Ask:

  • How do you protect your network from external threats like hackers?
  • If you use cloud services, how are they secured?
  • Who has access to your network, and how do you control it?
  • How do you secure remote access to your network?

How Do They Protect Data?

Data security is critical, especially if you handle sensitive or personal information. You need to be sure your suppliers are taking steps to protect you as well.

Questions to Ask:

  • Do you encrypt data on portable devices (like laptops) in case they’re lost or stolen?
  • How do you secure data when it’s being transferred (like through emails)?
  • How do you prevent unauthorised data transfers from your network?

Do They Outsource Any Services?

If your supplier outsources services to other countries, there could be extra risks, especially when it comes to data privacy laws.

Questions to Ask:

  • Do you outsource any part of your services? If so, where?
  • What security measures are in place for these services?
  • Will you notify us if anything changes with your outsourced operations?

How Do They Handle Employee Security?

Employees can sometimes be the weakest link in cyber security. It’s important that your supplier is actively managing internal security risks.

Questions to Ask:

  • Do you perform background checks on employees?
  • Do you provide security training to your staff?
  • How do you encourage employees to report security issues without fear of blame?

Is Their Physical Security Strong?

Physical security, such as securing buildings or data centres, is just as important as digital security.

Questions to Ask:

  • How do you physically protect your premises and data centres?
  • How do you securely dispose of sensitive documents?

Do They Conduct Independent Security Testing?

Independent security audits and testing help ensure that a supplier’s cyber security measures are working properly.

Questions to Ask:

  • Do you perform independent security tests (like penetration testing)?
  • Do you hold any cyber security certifications (like Cyber Essentials or ISO 27001)?

What Are the Contractual Security Requirements?

Lastly, your contract with the supplier should clearly outline cyber security expectations, especially around incident reporting and data protection.

Questions to Ask:

  • Does our contract require you to meet specific security standards?
  • What happens to our data if the contract ends? How will you securely delete or return it?

Asking these simple but crucial questions will help you better understand your suppliers’ cyber security measures. Ensuring they have strong security in place will reduce risks to your business and help you maintain trust with your customers and partners.

Contact us today to find out more or book a free 30-minute strategy call. Let’s discuss how we can help you assess your suppliers’ cyber security and reduce your risk.